New Western Digital My Cloud Bugs Give Local Attackers Root on NAS Devices

Researchers disclosed two new vulnerabilities in Western Digital My Cloud network storage devices on Thursday that could allow a local attacker to delete files stored on devices or allow them to execute shell commands as root.

Researchers at Trustwave disclosed the vulnerabilities, which come on the heels of disclosure by security firm GulfTech that reported critical vulnerabilities, including a hardcoded backdoor, in 12 Western Digital (WD) My Cloud devices.

The first (arbitrary command execution) vulnerability is tied to a common gateway interface script called “nas_sharing.cgi” used in the My Cloud firmware that allows any local user to execute shell commands as root on affected devices. The second (arbitrary file deletion) flaw is also tied to the same common gateway interface script, “nas_sharing.cgi”.

“These vulnerabilities are likely not publicly exposed to the internet and would likely be exploited via the local network only,” said Martin Rakhmanov, security research manager at Trustwave SpiderLabs.

“The attacker would likely scan the network and would find the My Cloud device listening on TCP/80. At that point the attacker would have full control of a vulnerable device as well as full access to all data on the device,” he said. “Since these devices are used to centrally store and backup data, it is likely that data there is highly valued by an owner.”

Trustwave worked with WD on disclosing the vulnerabilities. According to researchers, both vulnerabilities are patched by a device firmware update (version 2.30.172) released on Nov. 16, 2017. Western Digital did not confirm the patches until Jan. 23, 2018.

“While we reached out at various points in time to (Western Digital), they were often non-responsive or asking for more delays when they did respond. When they finally released the patch in November, they did not alert us. We found out the firmware was released only after reaching back out to them this month,” Rakhmanov said.